diff --git a/internal/notify/notify.go b/internal/notify/notify.go
index ea57155..95a52ce 100644
--- a/internal/notify/notify.go
+++ b/internal/notify/notify.go
@@ -34,8 +34,37 @@ var (
 	ErrMattermostFailed = errors.New(
 		"mattermost notification failed",
 	)
+	// ErrInvalidScheme is returned when a URL uses a scheme
+	// other than http or https.
+	ErrInvalidScheme = errors.New(
+		"URL scheme must be http or https",
+	)
+	// ErrEmptyHost is returned when a URL has no host component.
+	ErrEmptyHost = errors.New("URL host must not be empty")
 )
 
+// parseWebhookURL parses and validates a webhook URL, ensuring it uses
+// http or https and has a non-empty host. This provides real SSRF
+// protection by restricting the URL scheme at configuration load time.
+func parseWebhookURL(raw string) (*url.URL, error) {
+	u, err := url.ParseRequestURI(raw)
+	if err != nil {
+		return nil, fmt.Errorf("parsing URL: %w", err)
+	}
+
+	if u.Scheme != "http" && u.Scheme != "https" {
+		return nil, fmt.Errorf(
+			"%w: got %q", ErrInvalidScheme, u.Scheme,
+		)
+	}
+
+	if u.Host == "" {
+		return nil, ErrEmptyHost
+	}
+
+	return u, nil
+}
+
 // Params contains dependencies for Service.
 type Params struct {
 	fx.In
@@ -68,7 +97,7 @@ func New(
 	}
 
 	if params.Config.NtfyTopic != "" {
-		u, err := url.ParseRequestURI(params.Config.NtfyTopic)
+		u, err := parseWebhookURL(params.Config.NtfyTopic)
 		if err != nil {
 			return nil, fmt.Errorf("invalid ntfy topic URL: %w", err)
 		}
@@ -77,7 +106,7 @@ func New(
 	}
 
 	if params.Config.SlackWebhook != "" {
-		u, err := url.ParseRequestURI(params.Config.SlackWebhook)
+		u, err := parseWebhookURL(params.Config.SlackWebhook)
 		if err != nil {
 			return nil, fmt.Errorf("invalid slack webhook URL: %w", err)
 		}
@@ -86,7 +115,7 @@ func New(
 	}
 
 	if params.Config.MattermostWebhook != "" {
-		u, err := url.ParseRequestURI(params.Config.MattermostWebhook)
+		u, err := parseWebhookURL(params.Config.MattermostWebhook)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"invalid mattermost webhook URL: %w", err,
@@ -183,7 +212,7 @@ func (svc *Service) sendNtfy(
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", ntfyPriority(priority))
 
-	resp, err := svc.client.Do(request) //nolint:gosec // URL validated at Service construction time
+	resp, err := svc.client.Do(request) //nolint:gosec // G704: URL validated by parseWebhookURL
 	if err != nil {
 		return fmt.Errorf("sending ntfy request: %w", err)
 	}
@@ -265,7 +294,7 @@ func (svc *Service) sendSlack(
 
 	request.Header.Set("Content-Type", "application/json")
 
-	resp, err := svc.client.Do(request) //nolint:gosec // URL validated at Service construction time
+	resp, err := svc.client.Do(request) //nolint:gosec // G704: URL validated by parseWebhookURL
 	if err != nil {
 		return fmt.Errorf("sending webhook request: %w", err)
 	}